Securing your WordPress folders is crucial to safeguarding your website from unauthorized access and potential attacks. In this guide, we walk you through essential steps to harden your WordPress directories with .htaccess rules and other methods. Two caveats apply throughout: .htaccess files are only honoured by Apache (and LiteSpeed) when AllowOverride permits them, so on nginx the same rules must be written into the server configuration instead; and the Order/Allow/Deny directives shown below are the Apache 2.2 syntax, which Apache 2.4 accepts only while mod_access_compat is loaded (otherwise use Require all denied and Require ip in their place).
Table of Contents
- Protect the wp-config.php File
- Prevent Directory Browsing
- Restrict Access to the wp-admin Directory
- Protect the .htaccess File
- Block Access to the wp-includes Folder
- Disable PHP Execution in the Uploads Directory
- Disable XML-RPC
- Limit Access to the wp-content Directory
- Secure the readme.html and license.txt Files
- Use Security Plugins
Protect the wp-config.php File
The wp-config.php file contains sensitive information such as the database credentials and the authentication salts. Prevent direct web access to it by adding the following to the .htaccess file in the WordPress root:
<Files wp-config.php>
  order allow,deny
  deny from all
</Files>
This only stops the web server from serving the file; PHP still reads it normally. The rule matters most on the day PHP handling breaks (a misconfigured handler, a half-finished upgrade) and the server would otherwise hand out the file as plain text.
Prevent Directory Browsing
Directory browsing lets a visitor list the contents of any directory that has no index file, which exposes plugin names, versions and uploaded files. Disable it by adding this line to the root .htaccess file:
Options -Indexes
The Options directive needs AllowOverride Options (or All) to be permitted for the directory; if the host does not allow it, Apache answers every request with a 500 error, so test the site after saving. WordPress ships an empty index.php in wp-content, wp-content/plugins and wp-content/themes, but not in wp-content/uploads, which is why that directory is the usual listing leak.
Restrict Access to the wp-admin Directory
Limit access to the wp-admin directory to known IP addresses. Add the following to a .htaccess file inside the wp-admin directory (a separate file from the one in the site root):
order deny,allow
deny from all
allow from xx.xx.xx.xx
Replace xx.xx.xx.xx with your IP address; add one allow from line per additional address, or use CIDR notation (for example allow from 203.0.113.0/24) for a whole range. Do not wrap these lines in <Limit GET POST>: that applies the restriction to those two methods only and leaves every other method unrestricted. Two practical caveats: wp-admin/admin-ajax.php is called by front-end features for anonymous visitors and must be exempted if those features are to keep working, and wp-login.php lives in the site root, so this rule does not cover the login page. Make sure you can still edit the file over SFTP before relying on it, because a changed home IP otherwise locks you out of the dashboard.
Protect the .htaccess File
Ensure that the .htaccess file itself cannot be fetched, since it documents your access rules and IP allow-lists. Add the following to it:
<Files .htaccess>
  order allow,deny
  deny from all
</Files>
Apache's stock configuration already denies every file whose name begins with .ht, so this rule matters mainly on hosts with a customised configuration; it does no harm elsewhere.
Block Access to the wp-includes Folder
The files in wp-includes are meant to be loaded by WordPress itself, never requested directly. Add the following to the root .htaccess file, outside the # BEGIN WordPress / # END WordPress block (WordPress regenerates that block whenever permalinks are saved):
# Block the include-only files.
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  RewriteRule ^wp-admin/includes/ - [F,L]
  RewriteRule !^wp-includes/ - [S=3]
  RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
  RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
  RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
The [S=3] flag skips the three wp-includes rules for any request outside that directory, so only the wp-admin/includes rule is evaluated for ordinary pages. Adjust RewriteBase if WordPress is installed in a subdirectory. On a multisite installation the rule matching ^wp-includes/[^/]+\.php$ breaks ms-files.php and must be removed, which weakens the protection accordingly.
Disable PHP Execution in the Uploads Directory
The uploads directory should contain media only, yet it is the one directory the web server must be allowed to write to, which makes it the usual landing place for a web shell dropped through a vulnerable plugin or theme. Refuse to serve PHP from it by creating a .htaccess file in wp-content/uploads with the following content:
<Files *.php>
  deny from all
</Files>
The <Files> pattern only matches names ending in .php. If the server also maps .phtml, .php7 or .phar to the PHP handler (check the AddHandler or SetHandler lines in its configuration), extend the pattern to cover them. Because access control runs before Apache checks whether a file exists, a request for a non-existent .php file under uploads is answered with 403 rather than 404 once the rule is active, which is a quick way to confirm it is in effect.
Disable XML-RPC
xmlrpc.php is a remote API that has repeatedly been abused for credential brute forcing (the system.multicall method lets a single request try many passwords) and for pingback-driven denial of service against third parties. Block it if nothing depends on it by adding the following to the root .htaccess file:
<Files xmlrpc.php>
  order deny,allow
  deny from all
</Files>
The Jetpack plugin, the WordPress mobile apps and pingbacks/trackbacks all rely on XML-RPC, so confirm none of them is in use before blocking it. A blocked endpoint answers 403; an enabled one answers a plain GET with 405 and the text "XML-RPC server accepts POST requests only."
Limit Access to the wp-content Directory
Only allow direct access to static asset types in the wp-content directory by adding the following to a .htaccess file in the wp-content directory:
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|js|jpe?g|png|gif|woff|woff2|ttf|svg|eot)$">
  Allow from all
</Files>
With Order deny,allow, a request that matches both directives is allowed, so the listed extensions are served and everything else under wp-content, including plugin and theme PHP files, is refused. Extend the list for any other media the site serves (webp, ico, pdf, mp4, json and map files are common omissions), and test both the front end and the admin screens afterwards: a plugin that expects one of its own PHP files to be requested directly will stop working under this rule.
Secure the readme.html and license.txt Files
These files reveal the installed WordPress version to anyone who requests them. Block them from the root .htaccess file:
<FilesMatch "^(readme|license)\.(txt|html)$">
  order deny,allow
  deny from all
</FilesMatch>
Because directives in the root .htaccess apply to every subdirectory, this also hides the readme.txt files that plugins ship, which leak plugin versions in the same way. It does not remove the version from the generator meta tag or from the ?ver= query string on enqueued scripts and styles, so treat it as closing one fingerprint rather than hiding the version.
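Every rule above is verified the same way: request the protected path and confirm the server refuses it. The following script, added here as an example and not part of the original guide, runs that audit for each section except the wp-admin IP allow-list (whose result depends on where the script is run from). The base URL is a placeholder, and wp-content/uploads/audit-probe.php is an assumed file name that is not expected to exist on the site; it only uses the Python standard library.

```python
"""Audit a WordPress site for the .htaccess rules described in this guide.

Usage: python3 wp_htaccess_audit.py https://example.com
Exit status is 1 if any check reports the resource as exposed.
"""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple

# A fetcher takes a URL and returns (HTTP status, body). It is injectable so
# the checks can be exercised offline against canned responses.
Fetcher = Callable[[str], Tuple[int, str]]


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """GET the URL; 4xx/5xx answers are returned as data rather than raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "wp-htaccess-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")


@dataclass(frozen=True)
class Check:
    name: str
    path: str                     # relative to the site root
    exposed_if: FrozenSet[int]    # statuses that show the rule is missing
    marker: Optional[str] = None  # body text that shows exposure on a 200


# One check per section of the guide. The uploads probe name is an assumption:
# the file should not exist, but a deny rule answers 403 before Apache looks
# for the file, so a 404 means there is no rule at all.
CHECKS = (
    Check("wp-config.php served", "wp-config.php", frozenset({200})),
    Check("directory listing in uploads", "wp-content/uploads/", frozenset(), "Index of"),
    Check(".htaccess served", ".htaccess", frozenset({200})),
    Check("wp-includes PHP reachable", "wp-includes/version.php", frozenset({200})),
    Check("PHP handled in uploads", "wp-content/uploads/audit-probe.php", frozenset({200, 404})),
    # WordPress answers a GET to an enabled xmlrpc.php with 405, so 405 means "on".
    Check("xmlrpc.php enabled", "xmlrpc.php", frozenset({200, 405})),
    Check("readme.html served", "readme.html", frozenset({200})),
    Check("license.txt served", "license.txt", frozenset({200})),
)


def is_exposed(check: Check, status: int, body: str) -> bool:
    """Decide whether a response shows the corresponding rule is absent."""
    if status in check.exposed_if:
        return True
    return check.marker is not None and status == 200 and check.marker in body


def audit(base_url: str, fetch: Fetcher = http_fetch) -> Dict[str, bool]:
    """Run every check against base_url; returns {check name: exposed}."""
    base = base_url.rstrip("/") + "/"
    return {c.name: is_exposed(c, *fetch(base + c.path)) for c in CHECKS}


def main(argv) -> int:
    if len(argv) != 2:
        print(__doc__, file=sys.stderr)
        return 2
    results = audit(argv[1])
    for name, exposed in results.items():
        print(f"{'EXPOSED' if exposed else 'blocked':8} {name}")
    return 1 if any(results.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once before and once after editing the .htaccess files and compare the two reports. A host that answers unknown paths with a custom page and a 200 status will produce false positives for the probe checks; confirm those by hand with curl -I.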
Use Security Plugins
Consider using security plugins such as Wordfence, Sucuri, or iThemes Security to enhance the security of your WordPress installation. These plugins offer features like firewall protection, malware scanning, and login security.
Conclusion
By implementing these measures, you can significantly improve the security of your WordPress folders and reduce the risk of unauthorized access and attacks. Always remember to keep your WordPress core, themes, and plugins updated to the latest versions to benefit from security patches and improvements.
By following this guide, you’ll fortify your WordPress site against common threats and keep your data secure. Happy securing!